My Yahoo Redirect Problem


Erehwon

If there's a better place to post this, please advise. When trying to go to
my home page, my.yahoo.com, I started getting a GoDaddy.com page instead.
Same problem if I pick the My Yahoo link from the main Yahoo.com page.
Title at top of page still says my.yahoo.com. Page indicates that "This web
page is parked free, courtesy of godaddy.com". Seems like I get the normal
page for a while, then the godaddy page will appear repeatedly for several
hours followed by the normal page again for a while. Thought this might
just be a YAHOO issue but then saw the same thing on google.com for a couple
of hours. When problem occurs Firefox and Chrome also show godaddy instead
of yahoo/google page. Running IE 8 on Windows XP with updates current.
Using Zone Alarm and AVG and have also run Spybot and Ad-Aware. From what
I've looked at so far, I haven't seen anyone else reporting this problem so
concerned it may be on my end but not sure where else to look.
 

David H. Lipman

From: "Erehwon" <[email protected]>

| If there's a better place to post this, please advise. When trying to go to
| my home page, my.yahoo.com, I started getting a GoDaddy.com page instead.
| Same problem if I pick the My Yahoo link from the main Yahoo.com page.
| Title at top of page still says my.yahoo.com. Page indicates that "This web
| page is parked free, courtesy of godaddy.com". Seems like I get the normal
| page for a while, then the godaddy page will appear repeatedly for several
| hours followed by the normal page again for a while. Thought this might
| just be a YAHOO issue but then saw the same thing on google.com for a couple
| of hours. When problem occurs Firefox and Chrome also show godaddy instead
| of yahoo/google page. Running IE 8 on Windows XP with updates current.
| Using Zone Alarm and AVG and have also run Spybot and Ad-Aware. From what
| I've looked at so far, I haven't seen anyone else reporting this problem so
| concerned it may be on my end but not sure where else to look.



You really haven't provided any real information but...

Download, install, update and then execute, Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
 

David Kaye

Erehwon said:
> Thought this might
> just be a YAHOO issue but then saw the same thing on google.com for a couple
> of hours. When problem occurs Firefox and Chrome also show godaddy instead
> of yahoo/google page.

It's not a Yahoo or Google problem. It may or may not be a computer problem.
The reason I say this is because I have a customer who has a problem with
getting a default Google page and then a random page, and it happens every
other time. Running his computer in my home it's fine. So, I thought it was
the router. Flashed the EPROM, cleared the router. No change. Unplugged and
reset the modem. No change. Changed DNS to OpenDNS. No change. Can't
figure it out. The computer is clean or has something very clever going on
that doesn't show up when it's being run on a different ISP.

> Running IE 8 on Windows XP with updates current.
> Using Zone Alarm and AVG and have also run Spybot and Ad-Aware. From what
> I've looked at so far, I haven't seen anyone else reporting this problem so
> concerned it may be on my end but not sure where else to look.

Try Malware Bytes Anti-Malware. I gave up on Ad-Aware a long time ago.
Spybot catches some stuff, but misses a lot, too. MBAM seems to be the best
at the moment.
 

Erehwon

Erehwon said:
> If there's a better place to post this, please advise. When trying to go
> to my home page, my.yahoo.com, I started getting a GoDaddy.com page
> instead. Same problem if I pick the My Yahoo link from the main Yahoo.com
> page. Title at top of page still says my.yahoo.com.

Tried the above advice and ran a "full scan" using malwarebytes. It found
two registry issues -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d}
(Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3}
(Trojan.Agent) -> Quarantined and deleted successfully.

Unfortunately, problem remains. Found that if I do an "ipconfig /renew"
from command prompt the problem goes away for a short time but then returns.
Also discovered that problem occurs with other web sites such as Google. If
I do a Google search, for example, some of the links will work fine others
return a GoDaddy page. Same way with www.yahoo.com. I can follow some of
the links with no problems but others return the GoDaddy page. It doesn't
make any difference if I type in an address or select a link to it from
another page. Each time the GoDaddy page shows up the address bar and title
on the tab still show the correct page (My Yahoo, for example). If I do an
ipconfig /renew, I have no problem bringing up a link that I couldn't get
previously. After following a few more links, however, I start getting
GoDaddy on about a third to a half of them. Any other ideas ? My internet
connection is through a shared high speed internet connection provided by my
apartment complex. Not sure of source but not a "normal" provider like
Comcast. Is it possible for them to have some type of virus/malware on
their servers that's causing the problem?
 

Dustin Cook

> Tried the above advice and ran a "full scan" using malwarebytes. It
> found two registry issues -
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{
> 3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) ->
> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{
> 549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined
> and deleted successfully.
>
> Unfortunately, problem remains. Found that if I do an "ipconfig
> /renew" from command prompt the problem goes away for a short time but
> then returns. Also discovered that problem occurs with other web sites

Sounds like a DNS issue. Have you tried switching over to opendns servers?
 

David Kaye

Erehwon said:
Unfortunately, problem remains. Found that if I do an "ipconfig /renew"
from command prompt the problem goes away for a short time but then returns.

To me this sounds like your modem or even your ISP is compromised. Wow.
 

Virus Guy

Erehwon said:
Unfortunately, problem remains. Found that if I do an
"ipconfig /renew" from command prompt the problem goes
away for a short time but then returns.
Also discovered that problem occurs with other web sites such
as Google. If I do a Google search, for example, some of the
links will work fine others return a GoDaddy page.

1) You still have malware on your PC. Remove the hard drive and connect
it as a slave to a second (trusted) PC and scan the drive with AV
software on the second PC.

2) If you don't do (1), then check the hosts file for tampering.

3) Hardcode your DNS entry on the PC in question. Go to your TCP/IP
properties and set the DNS to 4.2.2.2. That will bypass any dynamic DNS
assignment that you're getting from your ISP or your modem/router. Your
modem/router may have been infected with something.
 

gufus

Hello, Virus!

You wrote on Tue, 20 Apr 2010 08:49:39 -0400:

VG> 2) If you don't do (1), then check the hosts file for tampering.

I'd set the HOSTS file to READ-ONLY too..
 

David H. Lipman

From: "gufus" <[email protected]>

| Hello, Virus!

| You wrote on Tue, 20 Apr 2010 08:49:39 -0400:

VG>> 2) If you don't do (1), then check the hosts file for tampering.

| I'd set the HOSTS file to READ-ONLY too..

Worthless proposition as it is a waste of time. Any software can change the attribute
back to Read/Write.

Next...
 

Erehwon

Virus Guy said:
1) You still have malware on your PC. Remove the hard drive and connect
it as a slave to a second (trusted) PC and scan the drive with AV
software on the second PC.

2) If you don't do (1), then check the hosts file for tampering.

3) Hardcode your DNS entry on the PC in question. Go to your TCP/IP
properties and set the DNS to 4.2.2.2. That will bypass any dynamic DNS
assignment that you're getting from your ISP or your modem/router. Your
modem/router may have been infected with something.

3) Fingers crossed that problem may have been resolved by changing DNS, but
will need more time to confirm. DNS has remained unchanged over at least
the past 6 months, but changing to 4.2.2.2 seems to have eliminated problem.
What does that indicate about the cause of the problem in the first place
and where is 4.2.2.2?

1) Did not have another compatible computer to try scanning drive.

2) Hosts file indicates last modified in November. Reviewed anyway and all
redirects are to 127.0.0.1.
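
The hosts-file check discussed in this thread (confirming that every entry points at the local machine), as an added example that is not part of any post: a Python sketch that parses hosts-file text and reports entries mapped anywhere other than a loopback or null address. The function name `audit_hosts` and the sample file content are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the thread).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com  tracker.example.net   # blocklist entry
0.0.0.0         banner.example.org
203.0.113.45    my.yahoo.com www.google.com
not-an-ip       broken.example.com
"""

def audit_hosts(text):
    """Return (line_no, address, hostnames, reason) for each suspicious entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop full-line and trailing comments, then skip blank lines.
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        # Loopback (127.0.0.0/8, ::1) and null (0.0.0.0, ::) entries only
        # block a name; they cannot send the browser to another server.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((line_no, address, names, "maps to a non-loopback address"))
    return findings

if __name__ == "__main__":
    # On Windows the file is %SystemRoot%\System32\drivers\etc\hosts;
    # here the constructed sample is audited instead.
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {', '.join(names)} ({reason})")
```

A clean result here only rules out the hosts file; it says nothing about the DNS server the machine was handed by DHCP, which is what the 4.2.2.2 change bypassed.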
 

David Kaye

Lil' Abner said:
I'm not sure how HOSTMAN works, but it keeps the HOSTS file pretty well
locked up. Explorer doesn't even show the read only attribute as checked,
but if you try to alter it, you can't.

Back when I was routinely adding the MSMVP host file to my customer computers
I did not find even a single instance where any subsequent malware changed the
write permissions on the file or added or changed any entries.

In fact, the hosts file idea works so well I'm considering implementing it
again with future customers.
 

David H. Lipman

From: "Lil' Abner" <[email protected]>


| I'm not sure how HOSTMAN works, but it keeps the HOSTS file pretty well
| locked up. Explorer doesn't even show the read only attribute as checked,
| but if you try to alter it, you can't.

It holds the etc/hosts file handle open.
 

gufus

Hello, Erehwon!

You wrote on Tue, 20 Apr 2010 23:29:48 -0500:


E> eliminated problem. What does that indicate about the cause of the
E> problem in the first place and where is 4.2.2.2?
E>

Good question, where is 4.2.2.2
 

gufus

Hello, Erehwon!

You wrote on Tue, 20 Apr 2010 23:29:48 -0500:

E> 2) Hosts file indicates last modified in November. Reviewed anyway and
E> all redirects are to 127.0.0.1.
E>

That should be okay then, 127.0.0.1 is your "localhost" if I'm wrong I'm
sure someone will correct me. I only have basic networking skills.
 

David H. Lipman

From: "gufus" <[email protected]>

| Hello, Erehwon!

| You wrote on Tue, 20 Apr 2010 23:29:48 -0500:


E>> eliminated problem. What does that indicate about the cause of the
E>> problem in the first place and where is 4.2.2.2?


| Good question, where is 4.2.2.2

vnsc-bak.sys.gtei.net == 4.2.2.2

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

NetRange: 4.0.0.0 - 4.255.255.255
CIDR: 4.0.0.0/8
NetName: LVLT-ORG-4-8
NetHandle: NET-4-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment:
RegDate: 1992-12-01
Updated: 2009-06-19
 

David H. Lipman

From: "gufus" <[email protected]>

| Hello, Erehwon!

| You wrote on Tue, 20 Apr 2010 23:29:48 -0500:

E>> 2) Hosts file indicates last modified in November. Reviewed anyway and
E>> all redirects are to 127.0.0.1.


| That should be okay then, 127.0.0.1 is your "localhost" if I'm wrong I'm
| sure someone will correct me. I only have basic networking skills.


That is the diagnostic responder IP address which resolves to the local PC. Thus no
redirection, just no web site access referred to in the etc/hosts table.
 

gufus

Hello, David!

You wrote on Wed, 21 Apr 2010 16:36:00 -0400:

E>>> 2) Hosts file indicates last modified in November. Reviewed anyway
E>>> and all redirects are to 127.0.0.1.
DHL>
DHL>
FL>> That should be okay then, 127.0.0.1 is your "localhost" if I'm wrong
FL>> I'm sure someone will correct me. I only have basic networking skills.
DHL>
DHL>
DHL> That is the diagnostic responder IP address which resolves to the
DHL> local PC. Thus no redirection, just no web site access referred to in
DHL> the etc/hosts table.

Okay, thus your "localhost" the local PC, no redirection. (makes sense)
 

gufus

Hello, David!

You wrote on Wed, 21 Apr 2010 16:34:50 -0400:

E>>> eliminated problem. What does that indicate about the cause of the
E>>> problem in the first place and where is 4.2.2.2?
DHL>
DHL>
FL>> Good question, where is 4.2.2.2
DHL>
DHL> vnsc-bak.sys.gtei.net == 4.2.2.2

'k

BTW, check your email.
 

David H. Lipman

From: "gufus" <[email protected]>

| Hello, David!

| You wrote on Wed, 21 Apr 2010 16:34:50 -0400:

E>>>> eliminated problem. What does that indicate about the cause of the
E>>>> problem in the first place and where is 4.2.2.2?


FL>>> Good question, where is 4.2.2.2

DHL>> vnsc-bak.sys.gtei.net == 4.2.2.2

| 'k

| BTW, check your email.

Nada at 1737hrs :-(
 

gufus

Hello, David!

You wrote on Wed, 21 Apr 2010 17:37:39 -0400:

DHL>
FL>> BTW, check your email.
DHL>
DHL> Nada at 1737hrs :-(

That's StupidGate (SoupGate)... or me. :)
 
